I recently installed a NAS server in my home and wanted to give my family and relatives access to it so that they could use it as a remote backup server for photos and stuff. To keep it as secure as possible I only wanted to give them SFTP access.
(All commands below are executed as root.)
First I created a group to group them together and then added the users to that group. I choose to disable their password as I only allow logins using SSH keys.
addgroup sftponly
# Repeat the line below for each user
adduser --disabled-password --ingroup sftponly ausername
As for the upload directory I wanted them to upload their data to my raid1 volume mounted under /data/pool1. Since OpenSSH has some requirements for the permission on the directories used as chroot I created the following directory layout.
cd /data/pool1
mkdir -m 751 sftp
ln -s . sftp/home
# Repeat the lines below for each user
mkdir -m 700 sftp/ausername
chmod ausername.root sftp/ausername
The home symlink is there to make the initial SFTP directory /ausername and the sftp directory is created with 751 to disallow directory listing in the top directory.
Then, as “all components of the pathname must be root-owned directories that are not writable by any other user or group” and /data/pool1 is not root owned I created a bind mount by adding the following to /etc/fstab.
/data/pool1/sftp /srv/sftp bind bind 0 0
Before the initial mount, the directory must be created.
mkdir /srv/sftp
mount /srv/sftp
Then, the final part was to configure OpenSSH by adding the following lines at the end of /etc/ssh/sshd_config.
Match Group sftponly
ChrootDirectory /srv/sftp
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
Remember to restart the server afterwards.
Comments Off
